1. Related Information
The present invention is related to the one described in U.S. patent application entitled “An Apparatus for Implementing Virtual Private Networks,” Ser. No. 08/874,091, which issued as U.S. Pat. No. 6,173,399 on Jan. 9, 2001, assigned to the assignee of the present application and filed concurrently herewith.
2. Field of the Invention
The present invention relates to the field of data communications. More particularly, the present invention relates to techniques for implementing secure virtual private networks over public or otherwise insecure data communications infrastructures.
3. Background
In recent years organizations have come to rely heavily on the ability to transmit electronic data between members of the organization. Such data typically includes electronic mail and file sharing or file transfer. In a centralized, single site organization, these transfers of electronic data are most commonly facilitated by a local area network (LAN) installed and operated by the particular enterprise.
Preventing unauthorized access to data traversing an enterprise's LAN is relatively straightforward. This applies to both unauthorized accesses by members of the enterprise and, more importantly, to third parties on the outside. As long as intelligent network management is maintained, unauthorized accesses to data traversing an enterprises internal LAN are relatively easily avoided. It is when the enterprise spans multiple sites that security threats from the outside become a major concern.
For distributed enterprises that desire the conveniences of the above-described electronic data transfers, there are several options that exist today, but each with associated disadvantages. The first option is to interconnect the offices or various sites with dedicated, or private communications connections often referred to as leased lines. This is the traditional method organizations use to implement a wide area network (WAN). The disadvantages of implementing an enterprise owned and controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if they are established to handle the peak capacity requirements of the enterprise. The obvious advantage to this approach is that the lines are dedicated for use by the enterprise and are therefore secure, or reasonably secure, from eavesdropping or tampering by intermediate third parties.
An alternative to the use of dedicated communications lines in a wide area network is for an enterprise to handle intersite data distributions over the emerging public network space. Over recent years, the Internet has transitioned from being primarily a tool for scientists and academics to a mechanism for global communications with broad ranging business implications. The Internet provides electronic communications paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises, even those in nontechnical fields, to provide Internet access to at least some portion of the computers within the enterprise. For many businesses this facilitates communications with customers, potential business partners as well as the distributed members of the organization.
Distributed enterprises have found that the Internet is a convenient tool to provide electronic communications between members of the enterprise. For example, two remote sites within the enterprise may each connect to the Internet through a local Internet Service Provider (ISP). This enables the various members of the enterprise to communicate with other sites on the Internet including those within their own organization. The limiting disadvantage of using the Internet for intra-enterprise communications is that the Internet is a public network space. The route by which data communication travel from point to point can vary on a per packet basis, and is essentially indeterminate. Further, the data protocols for transmitting information over the various networks of the Internet are widely known, and leave electronic communications susceptible to interception and eavesdropping with packets being replicated at most intermediate hops. An even greater concern arises when it is realized that communications can be modified in transit or even initiated by impostors. With these disconcerting risks, most enterprises are unwilling to subject their proprietary and confidential internal communications to the exposure of the public network space. For many organizations it is common today to not only have Internet access provided at each site, but also to maintain the existing dedicated communications paths for internal enterprise communications, with all of the attendant disadvantages described above.
While various encryption and other protection mechanisms have been developed for data communications, none completely and adequately addresses the concerns raised for allowing an enterprise to truly rely on the public network space for secure intra-enterprise data communications. It would be desirable, and is therefore an object of the present invention to provide such mechanisms which would allow the distributed enterprise to rely solely on the public network space for intra-enterprise communications without concern for security risks that presently exist.